Distributed storage and distributed processing query statement reconstruction in accordance with a policy

ABSTRACT

A non-transitory computer readable storage medium has instructions executed by a processor to receive a query statement. The query statement is one of many distributed storage and distributed processing query statements with unique data access methods. Token components are formed from the query statement. The token components are categorized as data components or logic components. Modified token components are formed from the token components in accordance with a policy. The query statement is reconstructed with the modified token components and original computational logic and control logic associated with the query statement.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a Continuation of U.S. patent application Ser. No.14/967,064 filed Dec. 11, 2015, which claims priority to U.S.Provisional Patent Application Ser. No. 62/101,341, filed Jan. 8, 2015,the contents of which are incorporated herein by reference.

FIELD OF THE INVENTION

This invention relates generally to data processing in a network. Moreparticularly, this invention is directed toward distributed storage anddistributed processing query statement reconstruction in accordance witha policy.

BACKGROUND OF THE INVENTION

Query statements can be formed to obtain data from distributed storageand distributed processing resources. The distributed storage may be adistributed database or a distributed file system. Apache Hadoop is anopen-source software framework for distributed storage and distributedprocessing of very large data sets on computer clusters built fromcommodity hardware.

The core of Apache Hadoop® consists of a storage part (HadoopDistributed File System (HDFS)) and a processing part (MapReduce®).Hadoop splits files into large blocks and distributes them amongst thenodes in the cluster. To process the data, Hadoop MapReduce transferspackaged code for nodes to process in parallel, based on the data eachnode needs to process. This approach takes advantage of data locality(nodes manipulating the data that they have) to allow the data to beprocessed faster and more efficiently than it would be in a moreconventional supercomputer architecture that relies on a parallel filesystem where computation and data are connected via high-speednetworking.

The Hadoop ecosystem has a variety of access methods. Apache Hive® is adata warehouse infrastructure built on top of Hadoop for datasummarization, query and analysis. Apache Spark® is an open sourcecluster computing framework that allows user programs to load data intoa cluster's memory and query it repeatedly. Solr® is an open sourceenterprise search platform that enables full-text search, hithighlighting, faceted search real-time indexing, dynamic clustering,database integration, NoSQL features and rich document handling.

Each access method has a query language associated with it to specifywhat data should be returned by the server and what operations should bedone with the data. These data access query languages typically behavelike set theory operations, which are neither purely object-oriented norpurely procedural. Therefore, they are not easily broken down intocomponents that can be re-engineered.

Therefore, it would be desirable to identify techniques to parse queriesassociated with different access methods. Further, it would be desirableto provide techniques for reconstructing queries associated withdifferent access methods to enforce a policy.

SUMMARY OF THE INVENTION

A non-transitory computer readable storage medium has instructionsexecuted by a processor to receive a query statement. The querystatement is one of many distributed storage and distributed processingquery statements with unique data access methods. Token components areformed from the query statement. The token components are categorized asdata components or logic components. Modified token components areformed from the token components in accordance with a policy. The querystatement is reconstructed with the modified token components andoriginal computational logic and control logic associated with the querystatement.

BRIEF DESCRIPTION OF THE FIGURES

The invention is more fully appreciated in connection with the followingdetailed description taken in conjunction with the accompanyingdrawings, in which:

FIG. 1 illustrates a network configured in accordance with an embodimentof the invention

FIG. 2 illustrates processing operations associated with an embodimentof the invention.

FIGS. 3, 4 and 5 illustrate processing operations associated with anembodiment of the query reconstruction processor 122.

FIG. 6 illustrates an access control table processed in accordance withan embodiment of the invention.

FIG. 7 is a data table processed in accordance with an embodiment of theinvention.

FIGS. 8A and 8B illustrate token characterization of tokens of anexemplary query statement.

FIG. 9 illustrates the sequential reconstruction of the exemplary querystatement in accordance with an embodiment of the invention.

Like reference numerals refer to corresponding parts throughout theseveral views of the drawings.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 illustrates a network 100 configured in accordance with anembodiment of the invention. The network 100 includes a server 102connected to a set of servers 104_1 through 104_N a network 106. Theserver 102 can be a master server, while servers 104_1 through 104_N areworker servers in a distributed storage and a distributed processingenvironment. Network 106 may be any combination of wired and wirelessnetworks.

Server 102 includes standard components, such as a central processingunit 110 connected to input/output devices 112 via a bus 114. Theinput/output devices 112 may include a keyboard, mouse, touch displayand the like. A network interface circuit 116 is also connected to thebus 114 to provide connectivity to network 106. A memory 120 is alsoconnected to the bus 114. The memory stores instructions executed by thecentral processing unit 110 to implement operations of the invention. Inparticular, the memory 120 stores a query reconstruction processor 122to implement operations disclosed herein.

Each worker server 104_1 through 104_N also includes standardcomponents, such as a central processing unit 130, bus 134, input/outputdevices 132 and a network interface circuit 136. A memory 140 isconnected to bus 132. The memory 140 stores a worker module 142 toimplement distributed storage and distributed processing operations.

The network 100 may also include a client machine 148. The clientmachine 148 includes standard components, such as a central processingunit 150, input/output devices 152, a bus 154 and a network interfacecircuit 156. A memory 160 is connected to bus 154. The memory 160 storesa client module 162 with instructions executed by the central processingunit 150. The client module 162 may facilitate the formation of a query,which is then directed toward the query reconstruction processor 122 ofmaster server 102.

FIG. 2 illustrates processing operations associated with an embodimentof the query reconstruction processor 122. Initially, a query statementis received 200. The query statement is one of a plurality ofdistributed storage and distributed processing query statements withunique data access methods. Token components are then formed from thequery statement 202. The token components are then categorized 204. Atypical data analysis query language statement, command, or program,contains one of three separate components: data elements, computationallogic and control logic. Categorization of token components includescategorizing the tokens as belonging to each of the three differentcomponents.

Modified token components are then formed 206. Finally, the querystatement is reconstructed. That is, the query reconstruction processor122 determines how the tokens belonging to the data elements need to betranslated or modified to comply with a policy, and reconstructs thestatement with the modified data elements without affecting thecomputational or the control logic. The policy may relate to accesscontrol, query language dialect conversion and/or on the fly queryoptimization.

The query reconstruction processor 122 may include a lexical algorithm,a translation algorithm and execution algorithms that include order by,group by, unique alias, aggregation function, where part merging, metatable join, elimination, redaction and replacement operation algorithms.

The lexical algorithm performs lexical operations on the input querystatement to tokenize the statement and mark the resulting tokensagainst a particular query language's grammar to classify the tokensappropriately as data or logic. This involves breaking down a statementinto ‘words’ and keeping track of the ‘words’ in a data structure thatincludes the name, the class and other information such as types, size,etc. By comparing the tokens against the policy grammar, the ‘words’ aremarked as one of the following: database specific tokens, specialcharacters, language keywords, comments, values, file paths, URIs,aliases and functions. In addition, the statements are marked for startand stop of sections based on the tokens identified, for example startand end of JOIN and ON parts of a HiveQL® statement. In addition, thescope for which a class of the ‘words’ is applicable is also identifiedand marked, for example to distinguish between aliases that are columnaliases, table aliases or sub-query aliases. The translation algorithmthen compares the token identified as data elements against a set ofdata elements, concepts, schemas, etc. known to the system to translateor determine the action to take. A star token may be expanded into thecomponent fields explicitly so that the different fields can be modifiedindividually. Based on the translation, the policy engine cycles throughdifferent execution algorithms to create a modified policy compliantrequest.

FIG. 3 illustrates more detailed operations associated with anembodiment of the query reconstruction processor 122. Initially, thequery is standardized 300. For example, the query may be standardized byremoving tabs, double spaces, and comments. The query is then tokenized302. For example, the tokens may be formed by delimiters such as commas,semicolons, ‘\’ etc. The list of the tokens is then classified intospecific class types 304 based on how the token should be processed inthe rest of the workflow. In the next 10 steps (306-324), various partsof the original query are marked so that it can be processed based onthe markings in subsequent steps. The tokens of the type SQL tokens inthe token list are then marked 306. Constants, keywords and specialcharacters are then marked 308. Special characters, such as doublequotes, are handled 310. A query part flag is marked and each ‘where’clause is processed for a ‘join’ condition 312. Query and subquerypositions are marked 314. ‘Join’ and ‘on’ flag elements are marked 316.‘Group by’, ‘order by’ and ‘having’ clauses are marked 318. Resourceelements are marked 320. They are then stored with sequence numberscomputed for easy computation and in-memory creation of rules lists insteps 326, 328 and 330. Table, column, database, schema, file paths andURIs are then marked in the token list 322. Table alias, subquery andcolumn alias positions are then marked in the token list 324. A tablereference list with all flags is then created 326. A column referencelist with all flags is then created 328. A file path reference listswith all flags is then created 330. The primary type of the query isidentified 332. It is then determined whether the query needs to bemodified 334. If query modification is not needed (334—false), the queryis not changed 336. Query reconstruction is then terminated 338.

If the query needs modification (334—true), it is determined whether thequery is a ‘select’ type query 340. If the query is not a select query(340—false), it is determined whether it is another form of query 342.If so (342—true) processing proceeds to A2 344 of FIG. 5. If the queryis not of the type ‘select’ or a type recognized (342—false), then nochange is required 336 and query reconstruction processing is terminated338.

Returning to block 340, if the query is a select query (340—true), it isdetermined whether the query is expandable 346. If so (346—true), thestar schema is expanded 348 and processing proceeds to A1 350 of FIG. 4.The process of expansion of the ‘*’ replaces the token ‘*’ with thecomma delimited list of tokens for columns that the table contains basedon the information about the table available at the time of the queryprocessing. After the processing at A2 344, the query response isobtained 352 and processing terminates 338. After the processing of A1350, the modified query is obtained 352 and executed.

Turning to FIG. 4 A.1 processing 350 begins by reading a rule from alist of access control rules 400 to operate on the select query with ‘*’expansion and marking done from previous steps. In this example, therules relate to a data access policy. In this example, there are fourtypes of permissions tested at decision blocks 402, 404, 406 and 408. Ifthe rule if of type ‘deny’ (402—true) permission is denied and the ruleis processed in block 410. If the rule is a deny on a file path(412—true), then the file rule reference list is updated to include thegiven rule in block 414. After the file rule reference list is updated,the processing loops to block 416, which tests whether the entire ruleslist has been processed. If there is still an entry in the list,processing returns to block 400. If the entire list has been processed,the modified query is constructed starting with the reading of the querytokens from the query token list in block 426. If the rule is not a denyon a file path (412—false) but on a table instead (418—true), then thetable rule reference list is updated and processing loops to block 416.If the rule is not on a file path (412—false) or a table (418—false) butinstead on a column, then the column rule reference list is updated andprocessing loops to block 416. If the deny rule is not applicable tofile, table or column, then no changes to any rule reference lists aremade and the processing loops to block 416 to iterate over the next rulein the rules list. Similar processing is performed in the case of allowwith filter 404, deny with filter 406 and allow 408 permissions on file,table or column. In case a given rule doesn't match any of the deny(402—false), allow with filter (404—false), deny with filter(406—false), or allow types (408—false), the processing skips to thenext rule in the rules list without changes to any of the file, table orcolumn rule reference lists.

After all the rules in the access control lists are iterated over, fromblock 416 processing proceeds to block 426. A token is read from thequery token list 426. The token is compared with the table rulereference list and if a match is not found (428—false), the selectedtoken is appended to the query string without modification 430. Theprocessing continues through blocks 432 and 426 for the next token untilthe last token of the query string is processed, the final modifiedquery is prepared 434 and the processing returns to block 352 of FIG. 3.

If a match is found between a token in the query string with a tablefrom the table rule reference list (428—true) and the rule for thattable contains a filter (436—true), a new ‘where’ clause is constructedin accordance with the filter rule specified to modify the token 438.Any aliases associated with the table or the column names are discoveredand processed 440 before the modified token with filters and alias isappended to query string 430 and the processing continues through to theend of the original query string (432 and 426). In case the table rulematched in 428 is not a filter rule (436—false) but instead a ‘deny allread’ type (442—true), the processing skips to the preparation of themodified query that reflects the table level deny rule in block 434,before returning to block 352 of FIG. 3.

Consider the case where a match for a table is found (434—true), but afilter rule is not found (436—false) and a deny rule is not found(442—false). In this case, a match is sought for a column rule in thereference list 444. If a match does exist (444—true), column filterrules are evaluated 446. If a rule exists (446—true), a case statementis created and appended 448. Aliases are then handled 440 and controlreturns to block 430. If column filter rules do not exist (446—false), acolumn mask rule 450 is tested. If such a rule exists (450—true) amasking function is added 452. If a column mask rule does not exist(450—false), a column denial rule is checked 454. If a column denialrule exists (454—true), a default expression by data type is accessedand appended 456. Aliases are then handled 440 and control returns toblock 430. When the token list is finally processed, the final query isprepared and buffered 434. Control then returns to block 352 of FIG. 3.

If a match sought for a column rule in the reference list 444 does notexist (444—false), a match is sought for a file path rule in thereference list 458. If a match for the file path does exist (460—true),the file path is modified to a default value reflecting the denypermission, otherwise (460—false) no change to file path is processed.Control then returns to block 430. When the token list is finallyprocessed, the final query is prepared and buffered 434. Control thenreturns to block 352 of FIG. 3.

FIG. 5 illustrates processing associated with A2 of block 344.Initially, the query is checked for insert, load, update, delete oralter commands 500. If such a command exists (500—true) a rule is readfrom the subset of the access control list associated with such commands502 and matched with the resource of type file path, table or column. Ifthe rule is on a file path (504—true), then the file rule reference listis updated to include the given rule 506. After the file rule referencelist is updated, the processing loops to block 508, which tests whetherthe entire rules list has been processed. If there is still an entry inthe list, processing returns to block 502. If the entire list has beenprocessed, the modified query is constructed starting with the readingof the query tokens from the query token list in block 518. If the ruleis not on a file path (504—false), but is on a table instead (510—true),then the table rule reference list is updated and processing loops toblock 508. If the rule is not on a file path (504—false) or a table(510—false) but is instead on a column, then the column rule referencelist is updated 516 and processing loops to block 508. If the rule isnot applicable to file, table or column, then no changes to any rulereference lists are made and the processing loops to block 508 toiterate over the next rule in the rules list.

When the end list check of block 508 is reached, control proceeds toblock 518 where a token is read from the token list. An attempt is madeto match the token to a file path reference list 520. If a match is notfound (520—false), an attempt is made to match the token to a tablereference list 526. If a match is found for a file path (520—true) or atable (526—true) a denial check is made 522. If denial is not necessary(522—false) a loop check for the end of the access control list is made532 and control returns to block 518 if the end is not reached. If thereis a file path denial or a table denial (522—true) a deny response isfetched 524 and an end state 530 is reached. Consider the case where amatch for the file path (520—false) and table is not found (526—false),an attempt is made to match the token to a column 528. If the tokenmatches the column reference list (528—true) a column denial check ismade 530. If there is a column denial (534—true), the column token isswapped with a default pre-defined value representing a deny in block534, before a loop check for the end of the access control list is made532 and control returns to block 518 if the end is not reached. If adenial rule is not necessary (530—false), the column token is leftunmodified and the control returns to block 532.

Returning to block 500 of FIG. 5, if the query does not have thespecified elements (500—false), the query is processed for other validcommands 536. An attempt is made in block 538 to match a tuple of‘resource’ and ‘command’ from the query with tuples in the subset of theaccess control list associated with the query types already processed inblock 340 of FIG. 3 and block 500 of FIG. 5. In block 540 it isdetermined whether a match is found. If a match exists (540—true) anallow permission is tested 542. If allow is applicable (542—true), thequery is forwarded unmodified and processing is completed 548. If allowis not applicable (542—false), the query is modified to conform with adeny format and processing is completed 548. If a match to a validresource or commands is not found (540—false), the query is modified toconform with an error message associated with ‘not available’ response546 and the processing is completed 548.

The foregoing is more fully appreciated in connection with a specificexample. Consider the case of a user “bob” and an access control list ofwith a filter field (filter: first_name=′<userid>′) and a deny command(deny: salary). FIG. 6 illustrates an access control table with aresource column, an access permission column and a filter column. Nowconsider the data table of FIG. 7, which includes a table name column, acolumn name column and a resource column. Now consider the following SQLstatement: select a.*.b.salary as total_income from emp a, payroll bwhere a.employeeid=b.employeeid. The processing of FIG. 3 results in thetable spanning FIG. 8A and FIG. 8B. The table includes a token column.The token column has individual words or tokens of the query. A tokenflag column characterizes the nature of the token (e.g., keyword,special character, alias, schema element, etc.). A token flag categorycharacters a token as a column or table token. A schema sequence numbercolumn ascribes numeric values to keywords. The remaining columns relateto flag values, including query level flag, query part flag, querysequence ID, query number, start query flag, end query flag, added tokenflag and onpart flag.

Since a select query is involved, the processing of FIG. 4 is invoked tosequentially construct a modified query as incrementally shown in FIG.9. The final query is select a.FIRSTNAME, a.EMPLOYEEID, 0 astotal_income from emp a, payroll b where (a.employeeid=b.employeeid) and(a.FIRSTNAME in (‘bob’)).

The following discussion relates to implementation details associatedwith various embodiments of the invention. Any query language processedis standardized by replacing the multiple spaces, tabs, new lines andenter characters with the single space character. Comments are removed.The input statement is tokenized using a delimiter set. That is, a tokenis searched is a database keywords list. If the token is found in thelist, then the token is added in the token list with its specific typeand sub type set. The token is checked if its a constant(integer/float). Then the token is added according to its type in thetoken list. For the keywords which are not found in the keyword list andin a constants list, the token is added in the token list as an invalidor other token (e.g., OTHERTOKEN). If the token to be added is a specialcharacter, then the token is checked for different special charactersand added in the token list according to the type of the token. If thetoken is “*” then the given token is checked for a column element orpart of an expression and then the given “*” token is added in the tokenlist along with appropriate related columns or expressions.

The token is checked to determine if it contains any relational operatorthen that token is added to the token list with type set as relationaloperator. A string between single quotes and double quotes is added as aliteral to the token list. The quotes and the string between the quotesare considered as a single token and type is set according to the quotesadded (SINGQLITERAL/DOUBQLITERAL). The string between the squarebrackets is added as a single string with the type set as other token(ASOTHERTOKEN). If the token is a space character, then the token isadded with type set as SPACEFLAG. The query token array (Indexed QueryToken List) is created from the query token list.

SELECT, FROM and WHERE parts are marked for query level, such as mainquery or subquery. Also marked are the start and end of the MAIN and SUBQUERIES with the help of opening and closing parenthesis. If anyinconsistency found in the number of opening and closing parentheses,then an error is reported. With the help of start of SELECT, FROM andWHERE parts the parts of the complete tokens are marked. The SELECT partis marked from the start of the SELECT part up to the start of the FROMpart. The FROM part is marked from the start of the FROM part up to thestart of the WHERE part. The WHERE part is marked from the start of theWHERE part to the end of the query. If in between the marking of anypart a sub query is started, then its marking is done in the same way asthe start of SELECT, FROM and WHERE parts.

The start and end JOIN and ON parts are marked in the FROM part of thegiven statement. The start and end of JOIN and ON parts are markedaccording to the count of the JOIN and ON keywords in the statement. Thestart of the JOIN part is marked from the token having the JOIN keywordand end is marked at the token where the ON keyword is found. If beforethe ON keyword there is WHERE, ORDER and GROUP keyword found then thetoken previous to that is marked as the end of the JOIN part and the ONpart is not present in that case. If the ON part is present for a JOINcondition then its start is from the ON keyword itself and end is onWHERE, ORDER or GROUP keywords or at the start of new JOIN condition.

In marking of schema elements present in the input statement, theinvalid tokens and the double quoted string literal tokens areconsidered. In the case of marking of schema elements first the FROMpart of the input statement is processed in order to mark the tablespresent in the input. After marking of tokens in the FROM part, theschema elements in the query are marked from the inner nested depth tothe upper levels. The token present is traversed in the given range andthe token is checked for an invalid token or a double quoted string.

The given token is searched in a database sequence tree. If it is notfound, then a check is made for a mapping for the given token at thedatabase level. If the token is found as a database element, then thenext token after the “.” in the Schema Sequence Tree is checked or themapping at the schema level is checked. Thereafter, checks are made fortable and column. If database and schema are marked and the table is notmarked, then the process for the database and schema is also reverted.If the token is not for the database element marking, then the schema issearched. A table and a column is treated in the same way.

After marking of the schema elements in the FROM part the table and subquery aliases are marked. It is determined if the token part is markedas a FROM part. For a FROM part there is a check of whether the token isa start of a sub query in the FROM part. If so, then the list istraversed up to the end of the sub query. After the end of the sub querythere is a check of whether an alias is defined at the end of the query.If the token in the FROM part is not the start of the sub query thenthere is a check for the table element in the FROM part. If the token isthe table element, then there is a check of whether the token is next tothe table element (skipping spaces). An alias is then checked. If analias for the sub query or the table is found then there is a check ofwhether the alias name is the unmapped name. If it is the unmapped name,then it is changed to the real name. The given token is then marked aSUBQUERY or TABLE alias. After the marking of the token, the given tokenis searched in the complete statement and the tokens which are identicalto the alias token are also marked as the alias according to the type ifthey have the “.” as the next token (skipping the spaces in between).

After marking of the schema elements, column aliases are marked. Thestatement is traversed. It is determined whether the token belongs tothe SELECT part. It is determined if the token is a double quoted stringand the previous token is a column element (skipping the spaces inbetween). Then the given token is marked as column alias. If the tokenis an “AS” keyword, then the next token is marked as a column alias. Ifthe type of token is such that the token can be marked as a columnalias, then the previous and next tokens of the given token are checked.If the next token of the given token is the “,” of the SELECT part orthe FROM keyword, then the token can be marked as an alias if theprevious token satisfies the condition. If the token previous to thegiven token is a column element, end of the sub query, “END” keyworditself, single quoted or constant literals, pseudo column or the closingparenthesis “)” then the given token is marked as the column alias. Ifthe alias for the column is found then it is checked whether the aliasname is the unmapped name and if it is unmapped name then change to thereal name. After the marking of the token the given token is searched inthe complete statement and the tokens which are identical to the aliastoken are also marked as the alias if it does not belong to the samestatement and it has no “.” in the tokens next to it.

This section describes the star expansion process for the star presentin the main query SELECT part. The main query SELECT part is searchedfor a ‘*’ and if found it is marked as a column element. Beforeexpanding the star, the table reference list for the given statement isgenerated. The table reference list contains the information about thetable and sub queries used in the FROM part of the input statement. Italso stores the information about the table referenced in the query.Previous tokens of the star are checked (skipping spaces in between).CASE 1: a star comes with some specification. There may be 3 differentspecifications. In the case of a table alias there is a search for thetable for which the given alias is defined. If the schema information isalso given with the table name then, it adds the given information,otherwise it generates the search key with the default schema anddatabase information. For the generated search key for the table it getsall the columns of the given table and adds the given column in theexpanded list for the ‘*’. In the case of a table name the schemainformation for the table given is fetched in the specification with the‘*’. If the schema information is not present with the table, then itgenerates the search key with the default schema and databasespecification. For the generated search key for the table it gets allthe columns of the given table and adds the given column in the expandedlist for the ‘*’. In the case of a sub query alias, the start and theend of the sub query is found. The alias is added as a specificationwith the ‘*’. A SELECT column list for the sub query is generated. Thecomplete SELECT column list for the statement is traversed. If theSELECT column node contains the ‘*’ then the table reference list forthat sub query is generated and the star is expanded for the given subquery. The expanded nodes are inserted in the list where columns areadded for the expanded star. If the SELECT column node does not containthe ‘*’ then the given node is inserted in the expanded list by checkingthe alias for the node.

CASE 2: a star comes without any specification. In this case, the startof the table reference list is identified for the given statement.Before processing the particular table reference node, the queryseparator index for the given node and the query separator index for the‘*’ are checked. If both are identical, then it is processed. Then thetable reference node type is checked. If the type is “TABLE” then thesearch key for the given table is generated and its column list isobtained. The list of the column with the specification of table isadded in the link list generated to be replaced with the column. If thetype of the table reference node is “sub query” then, the start and theend of the sub query is obtained and the SELECT column list is generatedfor the given statement. If the sub query does not have the aliasdefined for it in the statement, then a unique alias is generated forthe given sub query. The complete SELECT column list for the givenstatement is traversed. If the SELECT column node contains the ‘*’ thenthe table reference list for that sub query is generated and the star isexpanded for the given sub query. The expanded nodes are inserted in thelist where columns are added for the expanded star. If the SELECT columnnode does not contain the ‘*’ then the given node is inserted in theexpanded list by checking the alias for the node.

This section describes the algorithm used to find an expression. Thisalgorithm is called once the query tokenization and marking of a querypart is completed. Each token of the input statement is checked todetermine whether the type of the current token is ASOTHERTOKEN. If thetype is not other token then, there is a check of whether the currenttoken is one of the following keywords: FROM, WHERE, ORDER, GROUP, BY,HAVING, AND, OR. If the token is one of the given keywords, then thealgorithm updates the last index to the current token index+1. This lastindex is used to determine the start of the expression. If the type ofthe current token is marked as the other token, then it loops the tokenfrom the last index up to the total token count. While looping, it takescare of the opening and closing parenthesis count and the CASE and ENDtokens. It breaks the loop when the parenthesis count is zero and thereis no open case statement and the current token of the inner loop issomething which can be used to end the current expressions for example(“,”, FROM, WHERE, AND, OR, GROUP, BY, ORDER etc.). While breaking, itmarks the previous token as the end of the expression and updates thelast index to current index+1 for the next expression. Next, there is asearch for the given input expression in the list of the expressionsstored in the memory. The search is made by comparing each token of acomplete expression list with the token of the current inputexpressions. If any expression is matched then, there is a search for amap name from the mapping information populated for real to virtualun-mapping. The mapping information returns the name of the virtualcolumn (label). The current input expression information is stored inthe back trace list which is used in case of virtual to physicalun-mapping after access control. The current input expression is changedto the virtual label with which it is mapped. If the expression is thepart of the main query select part, then the main query select part issearched to determine if the alias is defined for the expression or not.If not, then the structure which will be used later to add a columnlevel alias for the expression is updated.

The following describes generation of the back trace list at the time ofreal to virtual un-mapping, which is used by the virtual to realun-mapping process after access control. This section describes thenodes added in the back trace list for the one to one element mapping.The nodes for the expression based mapping are added at the time when anexpression is found in the input and is replaced by the virtual columnexplained above.

Each token of the input statement is checked to determine whether themap name boolean flag for the current token is set to TRUE. If it is notset to TRUE, then the token is skipped. If the flag is set to TRUE, thenmemory is allocated for the back trace list node and its data. Backtrace node data for the current node is populated. The informationstored may include level of the node (Database/Schema/Table/column),type of mapping (one to one), physical element value, virtual elementvalue, part and level of the token in the input statement, andtable/column sequence order. If the current token is of type TABLE, thenthe complete input list is traversed to search if the alias is definedfor the given table. If the alias is defined, then that aliasinformation is stored along with the back trace data. After storing thecomplete information in the back trace node the current node is insertedinto the back trace list. This back trace list is used at the time ofun-mapping from virtual to physical layer.

The UNMAP method resolves the UNMAP condition. The UNMAP conditioncontains the virtual elements that need to be resolved with theirphysical counterparts. The whole input condition is parsed to find themapping for each element. If the mapping of the column or table is foundin the back trace list, then the virtual column or table element isreplaced with the token that that is associated with the mapping. Theremay be three cases: (1) if the case is virtual_table.virtual_column,then UNMAP both the table and column, (2) if the case isalias.virtual_column, then do not change the alias but the column, (3)if the case is virtual_column only, then UNMAP the column. If themapping is not found in back trace list then there are three cases (1)if the element is a valid physical element do not do anything (keep thiselement as it is), (2) if the columns table is used in the currentstatement and if the case is virtual_table.virtual_column and mapping ofvirtual_column is not found in the back trace list, then first find thephysical table and physical column for this virtual column. If thisphysical table is found in the back trace list, then the table andcolumn are replaced with the tokens associated with the mapping. Thethird case is if the alias.virtual_column and mapping of virtual_columnare not found in the back trace list, then the physical table andphysical column for this virtual column is searched for first. If thisphysical table is found in the back trace list, then the physicaltable's alias and the physical column are replaced with this mapping. Ifthe case is virtual_column only and mapping of virtual_column is notfound in back trace list, then the physical table and physical columnfor this virtual column are searched for first. If this physical tableis found in the back trace list, the physical column is replaced withthis mapping.

An embodiment of the present invention relates to a computer storageproduct with a non-transitory computer readable storage medium havingcomputer code thereon for performing various computer-implementedoperations. The media and computer code may be those specially designedand constructed for the purposes of the present invention, or they maybe of the kind well known and available to those having skill in thecomputer software arts. Examples of computer-readable media include, butare not limited to: magnetic media, optical media, magneto-optical mediaand hardware devices that are specially configured to store and executeprogram code, such as application-specific integrated circuits(“ASICs”), programmable logic devices (“PLDs”) and ROM and RAM devices.Examples of computer code include machine code, such as produced by acompiler, and files containing higher-level code that are executed by acomputer using an interpreter. For example, an embodiment of theinvention may be implemented using JAVA®, C++, or other object-orientedprogramming language and development tools. Another embodiment of theinvention may be implemented in hardwired circuitry in place of, or incombination with, machine-executable software instructions.

The foregoing description, for purposes of explanation, used specificnomenclature to provide a thorough understanding of the invention.However, it will be apparent to one skilled in the art that specificdetails are not required in order to practice the invention. Thus, theforegoing descriptions of specific embodiments of the invention arepresented for purposes of illustration and description. They are notintended to be exhaustive or to limit the invention to the precise formsdisclosed; obviously, many modifications and variations are possible inview of the above teachings. The embodiments were chosen and describedin order to best explain the principles of the invention and itspractical applications, they thereby enable others skilled in the art tobest utilize the invention and various embodiments with variousmodifications as are suited to the particular use contemplated. It isintended that the following claims and their equivalents define thescope of the invention.

The invention claimed is:
 1. A server, comprising: a network interfacecircuit connected to a network; a processor connected to the networkinterface circuit; and a memory connected to the processor, the memorystoring instructions executed by the processor to: receive a querystatement from a client machine; form token components from the querystatement; categorize each token component of the token components asone of a data component, a computational logic component or a controllogic component; form modified token components from the tokencomponents in accordance with a policy; reconstruct the query statementwith the modified token components and computational logic and controllogic associated with the query statement to form a policy compliantquery statement; and coordinate execution of the policy compliant querystatement on worker machines connected to the network.
 2. The server ofclaim 1 wherein the policy is an access control policy.
 3. The server ofclaim 1 wherein the policy is a query language dialect conversionpolicy.
 4. The server of claim 1 wherein the policy is a queryoptimization policy.
 5. The server of claim 1, wherein the tokencomponents are alternately categorized as database specific tokens,special characters, language keywords, comments, values, aliases, filepaths, URIs and functions.
 6. The server of claim 1, wherein the tokencomponents are formed based on lexical operations performed on the querystatement.
 7. The server of claim 1, wherein each token component of thetoken components is categorized by comparing each token component of thetoken components against a grammar utilized by a query language in whichthe query statement is formulated.
 8. A method, comprising: receiving aquery statement from a client machine; forming token components from thequery statement; categorizing each token component of the tokencomponents as one of a data component, a computational logic componentor a control logic component; forming modified token components from thetoken components in accordance with a policy; reconstructing the querystatement with the modified token components, computational logic, andcontrol logic associated with the query statement to form a policycompliant query statement; and coordinating execution of the policycompliant query statement on worker machines connected to a network. 9.The method of claim 8, wherein the policy is an access control policy.10. The method of claim 8, wherein the policy is a query languagedialect conversion policy.
 11. The method of claim 8, wherein the policyis a query optimization policy.
 12. The method of claim 8, wherein thetoken components are alternately categorized as database specifictokens, special characters, language keywords, comments, values,aliases, file paths, URIs and functions.
 13. The method of claim 8,wherein said forming comprises: forming token components based onlexical operations performed on the query statement.
 14. The method ofclaim 8, wherein said categorizing comprises: categorizing each tokencomponent of the token components by comparing each token component ofthe token components against a grammar utilized by a query language inwhich the query statement is formulated.
 15. A computer-readable storagedevice comprising program instructions that, when executed by at leastone processor of a computing device, perform a method, the methodcomprising: receiving a query statement from a client machine; formingtoken components from the query statement; categorizing each tokencomponent of the token components as one of a data component, acomputational logic component or a control logic component; formingmodified token components from the token components in accordance with apolicy; reconstructing the query statement with the modified tokencomponents, computational logic, and control logic associated with thequery statement to form a policy compliant query statement; andcoordinating execution of the policy compliant query statement on workermachines connected to a network.
 16. The computer-readable storagedevice of claim 15, wherein the policy is an access control policy. 17.The computer-readable storage device of claim 15, wherein the policy isa query language dialect conversion policy.
 18. The computer-readablestorage device of claim 15, wherein the policy is a query optimizationpolicy.
 19. The computer-readable storage device of claim 15, whereinthe token components are alternately categorized as database specifictokens, special characters, language keywords, comments, values,aliases, file paths, URIs and functions.
 20. The computer-readablestorage device of claim 15, wherein said forming comprises: formingtoken components based on lexical operations performed on the querystatement.